Recently we heard about the healthcare hack using Heartbleed, harvesting 4.5 million records from Community Health Systems, or 1.4% of everyone in the USA. This breach is a clear issue where HIPAA regulations and protections were violated and the Chinese hackers stole patients’ Social Security numbers, names and addresses. Then there’s the UPS hack with a mere 100,000 credit card record accessed, but over an almost 8 month period from between January 20, 2014 and August 11, 2014.
Of course the healthcare hack has far more impact than UPS but the point is that our world-wide economy continues to be vulnerable to attack for multiple reasons. First, with the CHS hack it is clear – if what is reported is true – is that simple well known IT security policies and methods are not being followed. Whatever the reason, money, skills, commitment – it does not matter.
Second, some attacks are far more sophisticated than others and though software and hardware protection systems might exist there is a lack of skills, money and potentially understanding of the risks. A mom and pop UPS store is not going to notice something on the transaction system and they cannot expected to be able to.
Community Health Systems, on the other hand, should be able to recognize something – and do something about it – especially after Target incident. If the Community Health Systems is really what is reported and there was a lack of quick patching, then I suspect some serious legal trouble ahead for them. Last but certainly not least is the lack of security from the OS to the disk. It is time (as I have been saying for a long long time) for SELinux security controls.
How many more hacks, lawsuits and disruption is it going to take?
Photo courtesy of Shutterstock.